A flaw was found in the way Exim validated recipient addresses. A remote attacker could use this flaw to execute arbitrary commands on the Exim server with the permissions of the user running the application.
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
Name: Qualys Research Labs
As per the reporter:
"Exim is vulnerable by default since version 4.87 (released on April 6, 2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled manually. Surprisingly, this vulnerability was fixed in version 4.92 (released on February 10, 2019)"
Therefore, lower versions of Exim (Red Hat Enterprise Linux ships exim-4.63) are not affected by this flaw.
Exim is vulnerable since version 4.87, therefore the version of exim package (exim-4.63) shipped with Red Hat Enterprise Linux 5 is not affected by this flaw.
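The version range above, together with the reporter's caveat about older builds with EXPERIMENTAL_EVENT, can be turned into a quick triage check. The script below is an added example, not code from this bug or from the Exim project; it assumes that `exim -bV` prints a banner line starting with "Exim version" and lists event support as "Event" or "Experimental_Event" on its "Support for:" line, and the sample banner it contains is constructed.

```sh
#!/bin/sh
# Added example (not from the Red Hat bug or the Exim project): classify an Exim
# version against the range the reporter gives (4.87 to 4.91 inclusive), and
# carry the caveat that older builds with EXPERIMENTAL_EVENT may also be affected.

# exim_version_status VERSION [EVENT]
#   VERSION  e.g. "4.89" or "4.92_RC3"; text after the minor number is ignored
#   EVENT    "yes" if the build has event support, "no" if not, otherwise unknown
# Prints one of: affected | fixed | not-affected | check-event-support | invalid
exim_version_status() {
  ver=$1
  event=${2:-unknown}
  case "$ver" in *.*) ;; *) echo invalid; return 2 ;; esac
  major=${ver%%.*}
  minor=$(printf '%s\n' "${ver#*.}" | sed 's/[^0-9].*$//')
  case "$major" in '' | *[!0-9]*) echo invalid; return 2 ;; esac
  case "$minor" in '' | *[!0-9]*) echo invalid; return 2 ;; esac
  if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 92 ]; }; then
    echo fixed              # 4.92 and later carry the fix
  elif [ "$major" -eq 4 ] && [ "$minor" -ge 87 ]; then
    echo affected           # 4.87 .. 4.91: vulnerable by default
  elif [ "$event" = yes ]; then
    echo affected           # older build with EXPERIMENTAL_EVENT enabled manually
  elif [ "$event" = no ]; then
    echo not-affected       # older build without event support (e.g. exim-4.63)
  else
    echo check-event-support
  fi
}

# exim_bv_status < output-of-exim-bV
# Assumption: the banner line is "Exim version X.YY ..." and a build with events
# lists "Event" (or "Experimental_Event" on older versions) on "Support for:".
exim_bv_status() {
  out=$(cat)
  v=$(printf '%s\n' "$out" | sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
  [ -n "$v" ] || { echo invalid; return 2; }
  if printf '%s\n' "$out" | grep -Eq '^Support for:.* (Experimental_)?Event( |$)'; then
    ev=yes
  else
    ev=no
  fi
  exim_version_status "$v" "$ev"
}

# Constructed sample banner (not a real capture) for a stand-alone run.
SAMPLE_BV='Exim version 4.89 #1 built 01-Jan-2019 00:00:00
Support for: crypteq iconv() IPv6 PAM OpenSSL DKIM DNSSEC Event
Lookups (built-in): lsearch wildlsearch nwildlsearch dbm dnsdb'
printf '%s\n' "$SAMPLE_BV" | exim_bv_status   # prints "affected"
```

On a live host, run `exim -bV | exim_bv_status` after sourcing the functions; a result of `check-event-support` means the version predates 4.87 and the build flags must be inspected by hand.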
Created exim tracking bugs for this issue:
Affects: epel-all [bug 1716935]
The above fix was included in mainline / 4.92 via the following commit from Sep 2018: